US Government Seeks Mandatory Cyber & Ransomware Reporting Requirements

In the wake of recent high-profile cyber and ransomware attacks, Congress and the Biden administration have joined forces, in an increasingly rare show of bipartisanship, to drive policy changes that would require many entities to report certain cyber incidents to the federal government. Importantly, the legislation would give entities 72-hours to report a cyber incident. This is especially notable given all the media attention calling for a 24-hour notification requirement.

Estimates suggest that at least 85% of the nation's non-defense, critical infrastructure is owned by the private sector. To date, the federal government has had limited authority over civilian cyber matters, and in some areas (e.g., ransomware) an even more limited understanding of the nature of the threat. Bad actors can range from the lone wolf, to sophisticated criminal and terrorist networks, to nation states intent on doing harm. Cyber threat actors are constantly evolving new tactics and technologies that take advantage of our interconnectedness, and the risks are increasing exponentially. Forbes reports that the more than 35 billion connected smart devices could rise to more than 75 billion by 2025.

The U.S. Federal Reserve has identified cybersecurity as one the top risks to our national economic security. The escalating number and severity of attacks has created enough political pressure on both sides of the aisle that Congress and the Administration are seeking to expand the authority of the federal government.

Top Democrats and Republicans on the Homeland Security committees in the House and Senate spent much of 2021 working in consultation with industry experts and other stakeholders to craft legislation. While the proposals vary slightly, House and Senate leaders are in the process of negotiating a compromise, which they plan to attach to "must pass" legislation in 2022, such as government funding bills

These proposals, commonly referred to as the Cyber Incident Reporting Act (CIRA), would expand authorities granted to the Cybersecurity and Infrastructure Agency (CISA) at the US Department of Homeland Security (DHS) to oversee, analyze and disseminate information about cyber-attacks against US entities. Both bills would also require certain entities to report 'covered cyber incidents.' 

The House and Senate versions of CIRA include several similar proposals, which are expected to be maintained in some form as the final details are negotiated:  

1. Mandatory reporting of certain covered cyber incidents to DHS CISA.
2. Empower DHS CISA to define "covered entities" subject to reporting requirements and set minimum thresholds defining a "cyber incident."
3. A 72-hour reporting timeline to DHS CISA after the cyber incident has occurred.
4. Non-covered entities may voluntarily report cyber incidents.
5. Limited liability coverage.
6. Empower DHS CISA to issue subpoenas.
7. Establish penalties for non-compliance, including civil action.  
8. Establish the timeline for DHS CISA to implement the new CIR program. 

There are additional CIRA provisions that House and Senate negotiators are considering, but their inclusion is less certain. These proposals could: 

• Require entities paying ransomware demands to file a report with DHS CISA within 24-hours of payment.
• Exempt certain small businesses, non-profits, and religious organizations.
• Exempt "white hat" hackers, government entities and other third-parties retained by the primary entity to discover system vulnerabilities.
• Determine the scope and limitations on use and sharing of incident reports with other federal agencies, departments, etc.
• Harmonize cyber reporting requirements, especially for entities already subject to federal, sector-specific cyber incident reporting regulations, rules and requirements.

As the process moves forward, the Buchanan Ingersoll & Rooney team is prepared to discuss how best to influence both the legislative and regulatory rulemaking processes as well as the implications new cyber incident reporting requirements will have on your entity and its strategic goals.

The federal government's intense focus on and response to growing cyber threats provides our clients with the opportunity to position their needs and interests as new laws and regulations are developed and implemented. Given the speed with which these laws, rules, requirements and penalties are drafted, there will certainly be unintended consequences impacting all of our clients.

In addition to the new CIRA requirements, the Buchanan Federal Government Relations (FGR) team anticipates additional congressional action because there is bipartisan support for the federal government to oversee the cybersecurity of our nations' critical economic and physical infrastructure. Buchanan's FGR team stands uniquely positioned to counsel our firm's clients on the latest developments as Congress, DHS CISA and other sector regulators expand their authority, rules, oversight and penalties in the cyber space.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.